Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

During the primaries, I'm very sure that folks like Fauxcohantas (err, Elizabeth Warren), Cuomo, and at least a few other Democrat candidates are going to want a shot at the job, and the Clintons have a *huge* amount of bones in the closet for the other Democrat candidates to drag out and show off (...and I'm talking skeletons that got shoved in there -after- Hilary's 2008 run.) Sure, the Clintons are a political powerhouse, but I suspect that the primaries are going to decimate her chances of winning; for one, she's a very polarizing figure, and two, assuming she even survives the primaries, she'll emerge from them too weakened to do much of anything.

In retrospect, the Democrats got lucky when Obama showed up, because the party's bench is pretty shallow at best, and has been for quite a few years now. In the present, looking at her GOP opposition, they're busy winnowing out the candidates *now*, a full year ahead of time (mostly due to the establishment/RINO versus Tea Party struggles), which will have the side effect of keeping the primary fighting to a minimum. Example? Well, the recent CPAC showed that the 'crowned' establishment candidate (Jeb Bush) got creamed in the straw polling, as did a lot of the retread 'perennial candidates' (e.g. Huckabee and his pals), and it showed that Christie wasn't going anywhere at all. Instead, like it or not, a handful of rather muscular candidates came out of the fray, and I suspect that the Democrats are going to need a lot more than Hillary to get anywhere. But again, their bench looks pretty shallow (if anyone on the DNC side of things know of someone who would make a better candidate that isn't as instantly polarizing, please speak up, but I have yet to see anyone...)

Weird... I suspect though that your experience is extremely localized.

Up here in Portland/PDX Metro, white folk is pretty much all you see, save for parts of Hillsboro (Latino), Beaverton (some East Asian, some Indian - nearly all of whom work for The Intel Corporation), and parts of 82nd St in East Portland (some Black, some Latino)... but even in these places, it's mostly crackers as far as the eye can see. Even "Chinatown" up here is mostly white. The small town of Cornelius (way west of Portland) has a very strong Latino population, but numbers-wise not that many.

You're dropping out of Obj-C for cross platform compatibility, because you're dealing with a low level Apple API, or because you want maximum speed for some part of the code. All these things are usually best served by C.

Cross-platform compatibility of C++ code is excellent these days, C++ can call low-level Apple APIs exactly as well as C, and there is no performance cost to C++ unless you choose it.

Unless you're concerned that you may need to target a platform not supported by a decent C++ compiler (which is really rare, given that gcc is basically everywhere), the only reason to choose C over C++ is personal preference or concern that some of the users of the code may not know C++.

The issue with FDE in Android has for long been the lack of combining strong passwords with a pattern lock or pin lock for unlocking the screen. In other words, your encryption key is only as strong as the pin code or password you are willing to put in every time you open your screen lock.

No, it doesn't. At least in Lollipop FDE-password is separate and you enter it at boot.

It's not separate. In stock Lollipop there is only one password, and it's used both for FDE and for screen unlock. Some customized ROMs (e.g. CM) have separated it, which allows you to choose a strong boot password and a more convenient unlock password. Stock Android didn't go that direction because too many users would set a strong boot password which they only use once every few weeks and therefore forget, losing all of their data.

Had I jumped to the Nexus 6 at the same time, however, that may not have been an issue.

As a recent Nexus 6 owner, I can confirm that encryption is enabled by default. I have not noticed any performance lag and the battery life has been really good.
I will admit, I'm coming from an 'ancient' phone, so maybe that's why I think it's fast enough; way faster than my old phone.

As mentioned by Gaygirlie, a big factor is the AES-NI instruction in the ARMv8 instruction set supported by your Nexus 6. It dramatically reduces the performance and power hit of AES operations.

(I'm a member Android Security team who worked on bits of Lollipop FDE)

The issue with FDE in Android has for long been the lack of combining strong passwords with a pattern lock or pin lock for unlocking the screen. In other words, your encryption key is only as strong as the pin code or password you are willing to put in every time you open your screen lock.

For Lollipop, a big change to FDE was the inclusion of a hardware-backed key in the key derivation function (KDF) for the FDE master key encryption key. This provides two benefits:

1) It means that a dump of the contents of your encrypted flash is useless without the device.

2) It means that brute force search of your PIN/pattern/password space is serialized and rate-limited by the performance of the device. In a way this means that faster devices are less secure, though we also apply a device-tuned scrypt function as part of the KDF, which compensates in the case of an attacker who tries to perform the entire attack on-device.

The best attack against Lollipop FDE, on a device with HW-backed credentials, is to dump the data from the device flash, then flash a custom OS which makes calls into the HW crypto to create an oracle, processing a stream of requests and returning the responses. Then you do a brute force attack with a mixture of on-device and off-device resources, computing the first scrypt function offline, then performing the on-device crypto operation, then taking the results of that and performing the second scrypt function offline, which you then use to try to decrypt the FDE master key, offline.

The fastest devices on the market today will perform the HW-backed crypto operation in about 50 ms. Assuming everything is pipelined properly, this is the brute force attempt rate: 20 attempts per second. With a four-digit PIN, this is negligible: the entire space can be searched in 8 minutes. However, a six-character alphanumeric password (random, all lowercase) would take 630 days, on average, to break. That's pretty reasonable security.

In theory. In practice it would take much longer than that. I tried running this test on a Nexus 9 and found the device kept throttling itself because it got too hot, plus even with a 2A charger it consumed more power than was being provided to it, so I had to stop when the battery died and wait for it to recharge.

Pre-Lollipop, and even on Lollipop devices that lack HW-backed crypto, you can conduct the entire attack off-line, parallelized, on however much hardware you care to throw at it. I can't make any promises about the future, but I will say that I, personally, really want to significantly improve Android FDE in the future. I have changes in mind that will make brute force essentially impossible, unless you can break into the Trusted Execution Environment.

Bah. Outright falsehood-pushing "journalism" is as old as journalism, and the online version of it as old as online journalism. Wikipedia has been abused as long as it has existed, and the Woozle Effect is also nothing new -- indeed the name and awareness of the phenomenon predates the existence of ARPANET, much less the Internet.

While I do wish the kids would go outside and play, it's not minecraft that's the problem, it's just the way kids are in the time of "playdates". Minecraft however is such a great game for them. It basically replaces the hours I spent with lego. I find hardcore first person shooters psychically disturbing so I'm greatly relieved when they find shooting sheep with enchanted diamond bows or building cat fountains amusing. Its similar to the way I used to build lego things that I could smash. Even better with things like raspberry pi, you can write in your own python code to build stuff or launch other people in the air when they come into your house.

The very best feature of minecraft is that there is no objective at all. Again like lego. it's up to you and your imagination. It just gives you an organized platform for creating.

What will MS do? I was afraid they might shutdown the python API on raspberry pi but they just released Windows for free on the new raspberry pi, so it looks like they might embrace it even more. I think Microsoft is finally re-learning how they became successful by being the low cost alternative to apple and IBM. they want the love again. Market share uber alles.

I suspect they might pervert it the way lego has been perverted by selling specialized kits that just build one thing. So they might sell pre-built minecraft worlds with various happy-meal like themes. Or hook it into microsoft live where you gotta pay the man a subscription to live in the microsoft amusement park. I would really resent that because kids come and go from their toy interests and so a subscription for something they are not using would hurt.

An anonymous reader writes "Microsoft spent billions purchasing Mojang, the studio behind the game Minecraft, and while it's unlikely to start work on a sequel anytime soon, rather than continue development of the game, it's worth considering what a Minecraft 2 will look like. After all, as a public company with revenues to justify, it doesn't seem beyond unreasonable a few years down the line, especially since a Minecraft-like game was one of the stand-out tech demos shown for the software giant's HoloLens augmented reality headset. As the author points out, Microsoft will have to tread carefully, tackling issues like whether greater graphical fidelity is actually what players will want ever — and whether to continue to support Minecraft on PlayStation."

In careful consideration of this, and in light of the seriousness of the problem, I have determined that the appropriate reaction is to seize Canada. I'm pretty sure that congress will determine the commerce clause covers it, anyway. I'm writing my crook^w legislator this evening.